Slashdot Mirror


MacOS X Circumvents Apache Security

cloudscout writes: "This Report at SecurityFocus.com warns of a problem with the Apache webserver running under Apple's new MacOS X operating system with the case-insensitive HFS+ filesystem. HFS+ is the default (and recommended) filesystem for MacOS X, yet its case-insensitive nature circumvents directory-based security in the Apache webserver that comes with the operating system. The Server version of MacOS X ships with a module that fixes this problem, but this module isn't available unless you purchase MacOS X Server. So much for Apple's boast about 'giving back to the open-source community.'"
From looking through SecurityFocus, this doesn't appear to be the only problem.


  1. Re:So how does Apache cope on Windows? by Anonymous Coward · Score: 4

    So how does Apache handle the Windows (NT or whatever) filesystem? Last time I looked that was case-insensitive too.

    Apache uses ap_os_canonical_filename(), which on case-sensitive Unices is a macro to replace it with the filename, but util_win32.c provides an ap_os_canonical_filename function which converts the name to lowercase, thus allowing "This" and "ThiS" to match (both being returned as "this"), so something similar is needed on case-insensitive MacOS machines.
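
The lowercase canonicalization described in the comment above, shown beside a byte-for-byte match, as an added example that is not part of the thread and is not Apache's own code. `PROTECTED_DIR`, `is_protected_naive` and `is_protected_canonical` are hypothetical names, and plain ASCII lowercasing stands in for the filesystem's real case-folding rules.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical protected directory, stored in canonical (lowercase) form. */
static const char *PROTECTED_DIR = "/private/";

/* Lowercase src into dst (at most dstlen-1 bytes): the kind of
 * canonicalization the comment describes for case-insensitive filesystems. */
static void canonical_lower(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0;
    if (dstlen == 0)
        return;
    for (; src[i] != '\0' && i + 1 < dstlen; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Byte-for-byte prefix match: correct only on a case-sensitive filesystem. */
int is_protected_naive(const char *path)
{
    return strncmp(path, PROTECTED_DIR, strlen(PROTECTED_DIR)) == 0;
}

/* Canonicalize first, then match. Over-long paths fail closed. */
int is_protected_canonical(const char *path)
{
    char buf[256];
    if (strlen(path) >= sizeof buf)
        return 1; /* cannot canonicalize safely, so treat as protected */
    canonical_lower(path, buf, sizeof buf);
    return strncmp(buf, PROTECTED_DIR, strlen(PROTECTED_DIR)) == 0;
}

int main(void)
{
    /* Constructed request paths; on a case-insensitive filesystem the
     * first three name the same directory. */
    const char *samples[] = { "/private/report.html", "/Private/report.html",
                              "/PRIVATE/report.html", "/public/index.html" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s naive=%d canonical=%d\n", samples[i],
               is_protected_naive(samples[i]),
               is_protected_canonical(samples[i]));
    return 0;
}
```
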

  2. Saw this coming by babbage · Score: 3
    This is just growing pains -- old school Mac used a case-insensitive filesystem, new school Mac has to preserve support for both old HFS and new UFS. (Other Unix tools are hitting the same problem whenever case [in-]sensitivity comes up -- the MacPerl people for example are working through it at the moment, too...)

    This is a problem that Apple saw coming, and handled, sorta, with a custom mod_whatever that tried to address the problem. Why they didn't release it (either as source or, if necessary, as a binary) with OSX client is a big question, and an unfortunate decision on their part, but at least it already exists. Maybe this negative publicity will get them to release it &/or fold it into the next update to the operating system.

    Really though, if you're using OSX for the new &/or Unixy stuff, then you need to run it on a UFS partition so that things like this won't bite you in the ass. If you need support for OS9/Classic, then either it or the Unix stuff needs to go onto a different partition. If not, you'll constantly be hitting these sorts of problems...